MirrorMirror
/
funkwhale
mirror of https://dev.funkwhale.audio/funkwhale/funkwhale.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix #1999: broken federation with pods using allow-listing

This commit is contained in:
Agate 2020-08-24 13:43:31 +02:00
parent e309e93d3b
commit 641e1525ac
5 changed files with 23 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
api/funkwhale_api/federation/actors.py
View File

@ -13,6 +13,7 @@ logger = logging.getLogger(__name__)
def get_actor_data(actor_url): def get_actor_data(actor_url):
logger.debug("Fetching actor %s", actor_url)
response = session.get_session().get( response = session.get_session().get(
actor_url, headers={"Accept": "application/activity+json"}, actor_url, headers={"Accept": "application/activity+json"},
) )

5
api/funkwhale_api/federation/authentication.py
View File

@ -46,15 +46,14 @@ class SignatureAuthentication(authentication.BaseAuthentication):
domain = urllib.parse.urlparse(actor_url).hostname domain = urllib.parse.urlparse(actor_url).hostname
allowed = models.Domain.objects.filter(name=domain, allowed=True).exists() allowed = models.Domain.objects.filter(name=domain, allowed=True).exists()
if not allowed: if not allowed:
logger.debug("Actor domain %s is not on allow-list", domain)
raise exceptions.BlockedActorOrDomain() raise exceptions.BlockedActorOrDomain()
try: try:
actor = actors.get_actor(actor_url) actor = actors.get_actor(actor_url)
except Exception as e: except Exception as e:
logger.info( logger.info(
"Discarding HTTP request from blocked actor/domain %s, %s", "Discarding HTTP request from actor/domain %s, %s", actor_url, str(e),
actor_url,
str(e),
) )
raise rest_exceptions.AuthenticationFailed( raise rest_exceptions.AuthenticationFailed(
"Cannot fetch remote actor to authenticate signature" "Cannot fetch remote actor to authenticate signature"

7
api/funkwhale_api/federation/views.py
View File

@ -111,6 +111,13 @@ class ActorViewSet(FederationMixin, mixins.RetrieveModelMixin, viewsets.GenericV
queryset = super().get_queryset() queryset = super().get_queryset()
return queryset.exclude(channel__attributed_to=actors.get_service_actor()) return queryset.exclude(channel__attributed_to=actors.get_service_actor())
def get_permissions(self):
# cf #1999 it must be possible to fetch actors without being authenticated
# otherwise we end up in a loop
if self.action == "retrieve":
return []
return super().get_permissions()
def retrieve(self, request, *args, **kwargs): def retrieve(self, request, *args, **kwargs):
instance = self.get_object() instance = self.get_object()
if utils.should_redirect_ap_to_html(request.headers.get("accept")): if utils.should_redirect_ap_to_html(request.headers.get("accept")):

13
api/tests/federation/test_views.py
View File

@ -12,7 +12,7 @@ from funkwhale_api.federation import (
) )
def test_authenticate_skips_anonymous_fetch_when_allow_list_enabled( def test_authenticate_allows_anonymous_actor_fetch_when_allow_list_enabled(
preferences, api_client preferences, api_client
): ):
preferences["moderation__allow_list_enabled"] = True preferences["moderation__allow_list_enabled"] = True
@ -23,6 +23,17 @@ def test_authenticate_skips_anonymous_fetch_when_allow_list_enabled(
) )
response = api_client.get(url) response = api_client.get(url)
assert response.status_code == 200
def test_authenticate_skips_anonymous_fetch_when_allow_list_enabled(
preferences, api_client, factories
):
preferences["moderation__allow_list_enabled"] = True
library = factories["music.Library"]()
url = reverse("federation:music:libraries-detail", kwargs={"uuid": library.uuid},)
response = api_client.get(url)
assert response.status_code == 403 assert response.status_code == 403

1
changes/changelog.d/1999.bugfix Normal file
View File

@ -0,0 +1 @@
Fixed broken federation with pods using allow-listing (#1999)